US11601413B2 · Active · Utility patent · PatentIndex score 51

Single sign-on control function (SOF) for mobile networks

Assignee: NETSIA INC
Priority: Oct 14, 2019
Filed: Oct 14, 2020
Granted: Mar 7, 2023
Est. expiry: Oct 14, 2039 (~13.3 yrs left) · nominal 20-yr term from priority
Inventors: YIGIT BEYTULLAH, ALTAY CAN, GORKEMLI BURAK, CIVANLAR SEYHAN
CPC: H04L 63/0815, G06F 21/41, H04W 12/48, H04W 12/06, H04L 63/0807, H04W 12/062
PatentIndex Score: 51 · Cited by: 0 · References: 3 · Claims: 20

Abstract

A new control function is defined for the control plane of a 5G mobile network to enable the operator's mobile user, who is using a premium network slice, to access application services on the public Internet by operator sign-on only, when accessing the application on said slice. This single sign-on capability allows the user to bypass the service's own authentication after the operator has authenticated the mobile device through the user session establishment procedure. The new function registers a plurality of service applications that sign up for the single sign-on capability. It also coordinates the mapping and storage of the user's credentials across the mobile operator's service and the service provider's application for each of said plurality of service applications, and transfers the user's credentials to the application so that the user's sign-in step is bypassed.

Claims

exact text as granted — not AI-modified
The invention claimed is: 
     
       1. An article of manufacture comprising non-transitory computer storage medium storing computer readable program code which, when executed by a computer, implements a method as implemented in a Single Sign-On Function (SOF), the article of manufacture comprising:
 (a) computer readable program code implementing a first communication interface to communicate with a session management function (SMF) component, the first communication interface communicating user's mobile network-specific authentication information; 
 (b) computer readable program code implementing a second communication interface to communicate with a Unified Data Management (UDM) component, the second communication interface communicating registry information and service application-specific user authentication information to the UDM; 
 (c) computer readable program code implementing a third communication interface to communicate with a User Plane Function (UPF) controller, the third communication interface communicating specific routing policies based on an IP address of one or more data packets originating from a User Equipment (UE) to enable a single sign on (SSO) service with the UPF controller; 
 (d) computer readable program code implementing a fourth communication interface to communicate with at least one application authentication server, the fourth communication interface: (1) communicating with the at least one application authentication server to register at least one application service and, after registering, (2) communicating with the at least one application authentication server to receive a digitally signed SSO ticket assigned to the UE that is connected to a mobile network, 
 wherein the SOF is implemented in a control plane and the UE is associated with at least one premium network slice, and a unique private IP address (user_IP_address) is assigned to the UE; and 
 wherein the SOF sends a special packet forwarding instruction to the UPF Controller to route the one or more packets received by UPF that is sourced by the user_IP_address of the UE to a service_IP_address of the at least one application authentication server. 
 
     
     
       2. The article of manufacture of  claim 1 , wherein when the UE connects to the mobile network and attempts to access the at least one application authentication server, the SOF intercepts such an access request and presents the digitally signed SSO ticket on behalf of the UE, and enables the at least one application authentication server to immediately create and send a digitally signed cookie or an application pass to a client associated with the UE, after which, the UE does not need subsequent authentication until the cookie or the application pass has expired. 
     
     
       3. The article of manufacture of  claim 1 , wherein the SOF allows bypassing of sign-in procedures of at least one service application once an operator authenticates the UE by providing a secure mapping of user credentials from a domain associated with the mobile network to another domain associated with the at least one service application. 
     
     
       4. The article of manufacture of  claim 3 , where the at least one service application comprises a mobile web application. 
     
     
       5. The article of manufacture of  claim 1 , wherein the digitally signed SSO ticket comprises any of, or a combination of, the following: a telephone number associated with the UE, a social security number associated with the UE, and a pre-defined length of time applicable to SSO. 
     
     
       6. The article of manufacture of  claim 1 , wherein the fourth communication interface comprises a plurality of additional interfaces and the at least one application authentication server comprises a plurality of application authentication servers, wherein each interface within the plurality of additional interfaces associated individual application authentication servers in the plurality of application authentication servers. 
     
     
       7. The article of manufacture of  claim 1 , wherein the fourth communication traverses the public Internet as well as a user plane (UP) of a mobile core network between the at least one application authentication server and the SOF through a secure, encrypted, connection. 
     
     
       8. The article of manufacture of  claim 7 , wherein secure, encrypted, connection is any of, or a combination of, the following: a VPN or an IPSec tunnel. 
     
     
       9. The article of manufacture of  claim 1 , wherein the SOF is implemented as any of the following: a Virtual Network Function (VNF) or Physical Network Function (PNF). 
     
     
       10. The article of manufacture of  claim 1 , wherein the SOF is co-resident with the SMF. 
     
     
       11. The article of manufacture of  claim 1 , wherein the SOF comprises a resident database storing registration information. 
     
     
       12. The article of manufacture of  claim 1 , wherein the UDM component stores registration information. 
     
     
       13. A method as implemented in a Single Sign-On Function (SOF), the SOF comprising (i) a first communication interface to communicate with a session management function (SMF) component, the first communication interface communicating user's mobile network-specific authentication information; (ii) a second communication interface to communicate with a Unified Data Management (UDM) component, the second communication interface communicating registry information and service application-specific user authentication information to the UDM; (iii) a third communication interface to communicate with a User Plane Function (UPF) controller, the third communication interface communicating specific routing policies based on an IP address of one or more data packets originating from a User Equipment (UE) to enable a single sign on (SSO) service with the UPF controller; (iv) a fourth communication interface to communicate with at least one application authentication server, the fourth communication interface: communicating with the at least one application authentication server to register at least one application service and, after registering, communicating with the at least one application authentication server to receive a digitally signed SSO ticket assigned to the UE that is connected to a mobile network, the SOF is implemented in a control plane and the UE is associated with at least one premium network slice, the method comprising:
 (a) securely registering the at least one application authentication server, wherein the registering comprises receiving the following information from the at least one application authentication server: (1) a unique service-ID or name, and (2) an IP address(es) or hostname; 
 (b) sending received information in (a) to the UDM; 
 (c) receiving the digitally signed SSO ticket and a telephone number of the UE; 
 (d) sending the digitally signed SSO ticket and a telephone number of the UE to the UDM for storage; 
 (e) assigning a unique private IP address (user_IP_address) to the UE when the UE connects to the mobile network; and 
 (f) sending a special packet forwarding instruction to the UPF Controller to route the one or more packets received by UPF that is sourced by the user_IP_address of the UE to a service_IP_address of the at least one application authentication server. 
 
     
     
       14. The method of  claim 13 , wherein when the UE connects to the mobile network and attempts to access the at least one application authentication server, the SOF intercepts such an access request and presents the digitally signed SSO ticket on behalf of the UE, and enables the at least one application authentication server to immediately create and send a digitally signed cookie or an application pass to a client associated with the UE, after which, the UE does not need subsequent authentication until the cookie or the application pass has expired. 
     
     
       15. The method of  claim 13 , wherein the SOF allows bypassing of sign-in procedures of at least one service application once an operator authenticates the UE by providing a secure mapping of user credentials from a domain associated with the mobile network to another domain associated with the at least one service application, where the at least one service application comprises a mobile web application. 
     
     
       16. The method of  claim 13 , wherein the digitally signed SSO ticket comprises any of, or a combination of, the following: a telephone number associated with the UE, a social security number associated with the UE, and a pre-defined length of time applicable to SSO. 
     
     
       17. The method of  claim 13 , wherein the fourth communication interface comprises a plurality of additional interfaces and the at least one application authentication server comprises a plurality of application authentication servers, wherein each interface within the plurality of additional interfaces associated individual application authentication servers in the plurality of application authentication servers. 
     
     
       18. The method of  claim 13 , wherein the fourth communication traverses the public Internet as well as a user plane (UP) of a mobile core network between the at least one application authentication server and the SOF through a secure, encrypted, connection, wherein secure, encrypted, connection is any of, or a combination of, the following: a VPN or an IPSec tunnel. 
     
     
       19. The method of  claim 13 , wherein the SOF is implemented as any of the following: a Virtual Network Function (VNF) or Physical Network Function (PNF). 
 
     
     
       20. An article of manufacture comprising non-transitory computer storage medium storing computer readable program code which, when executed by a computer, implements a method as implemented in a Single Sign-On Function (SOF), the SOF comprising (i) a first communication interface to communicate with a session management function (SMF) component, the first communication interface communicating user's mobile network-specific authentication information; (ii) a second communication interface to communicate with a Unified Data Management (UDM) component, the second communication interface communicating registry information and service application-specific user authentication information to the UDM; (iii) a third communication interface to communicate with a User Plane Function (UPF) controller, the third communication interface communicating specific routing policies based on an IP address of one or more data packets originating from a User Equipment (UE) to enable a single sign on (SSO) service with the UPF controller; (iv) a fourth communication interface to communicate with at least one application authentication server, the fourth communication interface: communicating with the at least one application authentication server to register at least one application service and, after registering, communicating with the at least one application authentication server to receive a digitally signed SSO ticket assigned to the UE that is connected to a mobile network, the SOF is implemented in a control plane and the UE is associated with at least one premium network slice, the article of manufacture comprising:
 (a) computer readable program code securely registering the at least one application authentication server, wherein the registering comprises receiving the following information from the at least one application authentication server: (1) a unique service-ID or name, and (2) an IP address(es) or hostname; 
 (b) computer readable program code sending received information in (a) to the UDM; 
 (c) computer readable program code receiving the digitally signed SSO ticket and a telephone number of the UE; 
 (d) computer readable program code sending the digitally signed SSO ticket and a telephone number of the UE to the UDM for storage; 
 (e) computer readable program code assigning a unique private IP address (user_IP_address) to the UE when the UE connects to the mobile network; and 
 (f) computer readable program code sending a special packet forwarding instruction to the UPF Controller to route the one or more packets received by UPF that is sourced by the user_IP_address of the UE to a service_IP_address of the at least one application authentication server.
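The following is an added example, not NETSIA's code and not taken from the patent: a small Python model of the exchange that claims 13(a) to (f) and claims 2 and 14 describe, with the SOF and the application authentication server as two classes. The service name, addresses, key, subscriber number and validity windows are all constructed. One substitution to note: the claims say the SSO ticket is digitally signed; because only the application authentication server mints the ticket and later accepts it back from the SOF, the example authenticates it with HMAC-SHA256 under a key that only that server holds, and the SOF stores and presents the ticket as an opaque string. A real deployment would need a public-key signature if any other party had to verify the ticket. What the model makes visible: the SOF never needs the ticket key; the application server, not the SOF, enforces the ticket's validity period; a cookie cannot be replayed as a ticket because the two are keyed separately; and the only identity the SOF consults when deciding to present a ticket is the private user_IP_address it assigned, so address assignment and slice isolation are what bind the ticket to the subscriber.

```python
import base64, binascii, hashlib, hmac, ipaddress, json

# Validity windows are constructed; the claims only say "a pre-defined length of time".
TICKET_TTL = 3600
COOKIE_TTL = 86400

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _seal(key: bytes, body: dict) -> str:
    """Canonical JSON body plus HMAC-SHA256 tag, encoded as 'payload.tag'."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return _b64(payload) + "." + _b64(hmac.new(key, payload, hashlib.sha256).digest())

def _unseal(key: bytes, token: str, now: int):
    """Body of a token whose tag verifies and whose 'exp' is still in the future, else None."""
    try:
        p64, t64 = token.split(".")
        payload, tag = _unb64(p64), _unb64(t64)
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), tag):
        return None
    body = json.loads(payload)
    return body if body.get("exp", 0) > now else None

class AppAuthServer:  # service provider's authentication server (constructed stand-in)
    def __init__(self, service_id: str, service_ip: str, key: bytes):
        self.service_id, self.service_ip, self._ticket_key = service_id, service_ip, key
        self._cookie_key = hashlib.sha256(b"cookie|" + key).digest()  # subkey: ticket != cookie

    def registration(self) -> dict:
        # Claim 13(a): a unique service-ID and an IP address or hostname.
        return {"service_id": self.service_id, "service_ip": self.service_ip}

    def issue_ticket(self, msisdn: str, now: int) -> str:
        # Claim 5: the ticket carries the telephone number and a validity period.
        return _seal(self._ticket_key, {"service_id": self.service_id, "msisdn": msisdn,
                                        "iat": now, "exp": now + TICKET_TTL})

    def accept_sso(self, ticket: str, now: int):
        # Claim 2: a valid ticket presented by the SOF yields a signed cookie / application pass.
        body = _unseal(self._ticket_key, ticket, now)
        if body is None or body.get("service_id") != self.service_id:
            return None
        return _seal(self._cookie_key, {"service_id": self.service_id,
                                        "msisdn": body["msisdn"], "exp": now + COOKIE_TTL})

    def check_cookie(self, cookie: str, now: int) -> bool:
        return _unseal(self._cookie_key, cookie, now) is not None

class SOF:  # Single Sign-On Function: control-plane state the claims keep in the SOF/UDM
    def __init__(self, pool: str = "10.42.0.0/24"):
        self.registry = {}      # service_id -> service_IP_address            (claim 13(b))
        self.tickets = {}       # (msisdn, service_id) -> ticket              (claim 13(d))
        self.sessions = {}      # user_IP_address -> msisdn                   (claim 13(e))
        self.upf_rules = set()  # (user_IP_address, service_IP_address) rules (claim 13(f))
        self._pool = ipaddress.ip_network(pool).hosts()

    def register_service(self, reg: dict) -> None:
        if not reg.get("service_id") or not reg.get("service_ip"):
            raise ValueError("registration needs service_id and service_ip")
        self.registry[reg["service_id"]] = reg["service_ip"]

    def store_ticket(self, msisdn: str, service_id: str, ticket: str) -> None:
        if service_id not in self.registry:  # tickets only for services that registered first
            raise KeyError(f"unregistered service {service_id}")
        self.tickets[(msisdn, service_id)] = ticket

    def attach_ue(self, msisdn: str) -> str:
        # Assign a private address, then install one UPF forwarding rule per ticketed service.
        user_ip = str(next(self._pool))
        self.sessions[user_ip] = msisdn
        for m, sid in self.tickets:
            if m == msisdn:
                self.upf_rules.add((user_ip, self.registry[sid]))
        return user_ip

    def intercept(self, src_ip: str, dst_ip: str, server: AppAuthServer, now: int):
        # Claims 2/14: a packet matching an installed rule is answered by presenting the stored
        # ticket on the UE's behalf; the only identity consulted is the packet's source address.
        if (src_ip, dst_ip) not in self.upf_rules:
            return None
        ticket = self.tickets.get((self.sessions[src_ip], server.service_id))
        if ticket is None or self.registry.get(server.service_id) != dst_ip:
            return None
        return server.accept_sso(ticket, now)

def demo(now: int = 1_700_000_000):  # whole exchange, registration through to cookie
    sof = SOF()
    app = AppAuthServer("video-premium", "203.0.113.10", key=b"constructed-demo-secret")
    sof.register_service(app.registration())
    msisdn = "+15555550123"  # constructed subscriber number
    sof.store_ticket(msisdn, app.service_id, app.issue_ticket(msisdn, now))
    ue_ip = sof.attach_ue(msisdn)
    return sof, app, ue_ip, sof.intercept(ue_ip, app.service_ip, app, now)
```

Calling demo() runs the whole exchange and returns the SOF, the application server, the assigned user_IP_address and the cookie the server issued; the same SOF state can then be probed with intercept() at a later timestamp to watch the application server refuse the ticket once its validity period has elapsed, even though the SOF still holds it and the UPF rule is still installed.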

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.